{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "#/components/schemas/JwtSignerPluginConfig", "title": "JwtSignerPluginConfig", "x-speakeasy-entity": "PluginJwtSigner", "properties": { "config": { "type": "object", "properties": { "access_token_audience_claim": { "description": "Specify the claim in an access token to verify against values of `config.access_token_audiences_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "aud" ] }, "access_token_audiences_allowed": { "description": "The audiences allowed to be present in the access token claim specified by `config.access_token_audience_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_consumer_by": { "description": "When the plugin tries to apply an access token to a Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username`, and `custom_id`.", "type": "array", "items": { "enum": [ "custom_id", "id", "username" ], "type": "string" }, "default": [ "custom_id", "username" ] }, "access_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (for example, `sub` or `username`) in an access token to Kong consumer entity.", "type": "array", "items": { "type": "string" } }, "access_token_endpoints_ssl_verify": { "description": "Whether to verify the TLS certificate if any of `access_token_introspection_endpoint`, `access_token_jwks_uri`, or `access_token_keyset` is an HTTPS URI.", "type": "boolean", "default": true }, "access_token_expiry_claim": { "description": "Specify the expiry claim in an access token to verify if the default `exp` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "exp" ] }, "access_token_introspection_audience_claim": { "description": "Specify the claim in 
an access token introspection to verify against values of `config.access_token_introspection_audiences_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "aud" ] }, "access_token_introspection_audiences_allowed": { "description": "The audiences allowed to be present in the access token introspection claim specified by `config.access_token_introspection_audience_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_introspection_authorization": { "description": "If the introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "type": "string" }, "access_token_introspection_body_args": { "description": "This parameter allows you to pass URL encoded request body arguments. For example: `resource=` or `a=1&b=&c`.", "type": "string" }, "access_token_introspection_consumer_by": { "description": "When the plugin tries to do access token introspection results to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. 
The parameter can take an array of values.", "type": "array", "items": { "enum": [ "custom_id", "id", "username" ], "type": "string" }, "default": [ "custom_id", "username" ] }, "access_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in access token introspection results to the Kong consumer entity.", "type": "array", "items": { "type": "string" } }, "access_token_introspection_endpoint": { "description": "When you use `opaque` access tokens and you want to turn on access token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter.", "type": "string" }, "access_token_introspection_expiry_claim": { "description": "Specify the expiry claim in an access token introspection to verify if the default `exp` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "exp" ] }, "access_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting an access token, use this parameter to specify the value. By default, the plugin sends `hint=access_token`.", "type": "string", "default": "access_token" }, "access_token_introspection_issuer_claim": { "description": "Specify the claim in an access token introspection to verify against values of `config.access_token_introspection_issuers_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "iss" ] }, "access_token_introspection_issuers_allowed": { "description": "The issuers allowed to be present in the access token introspection claim specified by `config.access_token_introspection_issuer_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns an access token in one of the keys (or claims) within the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong. 
If the key cannot be found, the plugin responds with `401 Unauthorized`. Also if the key is found but cannot be decoded as JWT, it also responds with `401 Unauthorized`.", "type": "array", "items": { "type": "string" } }, "access_token_introspection_leeway": { "description": "Adjusts clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time in seconds. You can disable access token introspection `expiry` verification altogether with `config.verify_access_token_introspection_expiry`.", "type": "number", "default": 0 }, "access_token_introspection_notbefore_claim": { "description": "Specify the notbefore claim in an access token introspection to verify if the default `nbf` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "nbf" ] }, "access_token_introspection_optional_claims": { "description": "Specify the optional claims of the access token introspection result. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "access_token_introspection_required_claims": { "description": "Specify the required claims that must be present in the access token introspection result. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "access_token_introspection_scopes_claim": { "description": "Specify the claim/property in access token introspection results (`JSON`) to be verified against values of `config.access_token_introspection_scopes_required`. 
This supports nested claims. For example, with Keycloak you could use `[ \"realm_access\", \"roles\" ]`, which can be given as `realm_access,roles` (form post). If the claim is not found in access token introspection results, and you have specified `config.access_token_introspection_scopes_required`, the plugin responds with `403 Forbidden`.", "type": "array", "items": { "type": "string" }, "default": [ "scope" ] }, "access_token_introspection_scopes_required": { "description": "Specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.access_token_introspection_scopes_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_introspection_subject_claim": { "description": "Specify the claim in an access token introspection to verify against values of `config.access_token_introspection_subjects_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "sub" ] }, "access_token_introspection_subjects_allowed": { "description": "The subjects allowed to be present in the access token introspection claim specified by `config.access_token_introspection_subject_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_introspection_timeout": { "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. If both requests timeout, then the plugin runs two times the `config.access_token_introspection_timeout` on access token introspection.", "type": "number" }, "access_token_issuer": { "description": "The `iss` claim of a signed or re-signed access token is set to this value. 
Original `iss` claim of the incoming token (possibly introspected) is stored in `original_iss` claim of the newly signed access token.", "type": "string", "default": "kong" }, "access_token_issuer_claim": { "description": "Specify the claim in an access token to verify against values of `config.access_token_issuers_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "iss" ] }, "access_token_issuers_allowed": { "description": "The issuers allowed to be present in the access token claim specified by `config.access_token_issuer_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_jwks_uri": { "description": "Specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the access token.", "type": "string" }, "access_token_jwks_uri_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_jwks_uri` is an https uri that requires mTLS Auth.", "type": "object", "properties": { "id": { "type": "string" } }, "x-foreign": true }, "access_token_jwks_uri_client_password": { "description": "The client password that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_username`", "type": "string", "x-encrypted": true, "x-referenceable": true }, "access_token_jwks_uri_client_username": { "description": "The client username that will be used to authenticate Kong if `access_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `access_token_jwks_uri_client_password`", "type": "string", "x-referenceable": true }, "access_token_jwks_uri_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_jwks_uri`. 
The default value 0 means no auto-rotation.", "type": "number", "default": 0 }, "access_token_keyset": { "description": "The name of the keyset containing signing keys.", "type": "string", "default": "kong" }, "access_token_keyset_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `access_token_keyset` is an https uri that requires mTLS Auth.", "type": "object", "properties": { "id": { "type": "string" } }, "x-foreign": true }, "access_token_keyset_client_password": { "description": "The client password that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_username`", "type": "string", "x-encrypted": true, "x-referenceable": true }, "access_token_keyset_client_username": { "description": "The client username that will be used to authenticate Kong if `access_token_keyset` is a uri that requires Basic Auth. Should be configured together with `access_token_keyset_client_password`", "type": "string", "x-referenceable": true }, "access_token_keyset_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `access_token_keyset`. The default value 0 means no auto-rotation.", "type": "number", "default": 0 }, "access_token_leeway": { "description": "Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to the token's `exp` claim before checking token expiry against Kong servers' current time in seconds. 
You can disable access token `expiry` verification altogether with `config.verify_access_token_expiry`.", "type": "number", "default": 0 }, "access_token_notbefore_claim": { "description": "Specify the notbefore claim in an access token to verify if the default `nbf` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "nbf" ] }, "access_token_optional": { "description": "If an access token is not provided or no `config.access_token_request_header` is specified, the plugin cannot verify the access token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Use this parameter to allow the request to proceed even when there is no token to check. If the token is provided, then this parameter has no effect", "type": "boolean", "default": false }, "access_token_optional_claims": { "description": "Specify the optional claims of the access token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "access_token_request_header": { "description": "This parameter tells the name of the header where to look for the access token.", "type": "string", "default": "Authorization" }, "access_token_required_claims": { "description": "Specify the required claims that must be present in the access token. Every claim is specified by an array. 
If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "access_token_scopes_claim": { "description": "Specify the claim in an access token to verify against values of `config.access_token_scopes_required`.", "type": "array", "items": { "type": "string" }, "default": [ "scope" ] }, "access_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.access_token_scopes_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_signing": { "description": "Quickly turn access token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream.", "type": "boolean", "default": true }, "access_token_signing_algorithm": { "description": "When this plugin sets the upstream header as specified with `config.access_token_upstream_header`, re-signs the original access token using the private keys of the JWT Signer plugin. Specify the algorithm that is used to sign the token. 
The `config.access_token_issuer` specifies which `keyset` is used to sign the new token issued by Kong using the specified signing algorithm.", "type": "string", "default": "RS256", "enum": [ "ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512" ] }, "access_token_subject_claim": { "description": "Specify the claim in an access token to verify against values of `config.access_token_subjects_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "sub" ] }, "access_token_subjects_allowed": { "description": "The subjects allowed to be present in the access token claim specified by `config.access_token_subject_claim`.", "type": "array", "items": { "type": "string" } }, "access_token_upstream_header": { "description": "Removes the `config.access_token_request_header` from the request after reading its value. With `config.access_token_upstream_header`, you can specify the upstream header where the plugin adds the Kong signed token. If you don't specify a value, such as use `null` or `\"\"` (empty string), the plugin does not even try to sign or re-sign the token.", "type": "string", "default": "Authorization:Bearer" }, "access_token_upstream_leeway": { "description": "If you want to add or subtract (using a negative value) expiry time (in seconds) of the original access token, you can specify a value that is added to the original access token's `exp` claim.", "type": "number", "default": 0 }, "add_access_token_claims": { "description": "Add customized claims if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "object", "default": {}, "additionalProperties": { "type": "string" } }, "add_channel_token_claims": { "description": "Add customized claims if they are not present yet. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "object", "default": {}, "additionalProperties": { "type": "string" } }, "add_claims": { "description": "Add customized claims to both tokens if they are not present yet. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "object", "default": {}, "additionalProperties": { "type": "string" } }, "cache_access_token_introspection": { "description": "Whether to cache access token introspection results.", "type": "boolean", "default": true }, "cache_channel_token_introspection": { "description": "Whether to cache channel token introspection results.", "type": "boolean", "default": true }, "channel_token_audience_claim": { "description": "Specify the claim in a channel token to verify against values of `config.channel_token_audiences_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "aud" ] }, "channel_token_audiences_allowed": { "description": "The audiences allowed to be present in the channel token claim specified by `config.channel_token_audience_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_consumer_by": { "description": "When the plugin tries to do channel token to Kong consumer mapping, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of valid values: `id`, `username`, and `custom_id`.", "type": "array", "items": { "enum": [ "custom_id", "id", "username" ], "type": "string" }, "default": [ "custom_id", "username" ] }, "channel_token_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter. Kong consumers have an `id`, a `username`, and a `custom_id`. 
If this parameter is enabled but the mapping fails, such as when there's a non-existent Kong consumer, the plugin responds with `403 Forbidden`.", "type": "array", "items": { "type": "string" } }, "channel_token_endpoints_ssl_verify": { "description": "Whether to verify the TLS certificate if any of `channel_token_introspection_endpoint`, `channel_token_jwks_uri`, or `channel_token_keyset` is an HTTPS URI.", "type": "boolean", "default": true }, "channel_token_expiry_claim": { "description": "Specify the expiry claim in a channel token to verify if the default `exp` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "exp" ] }, "channel_token_introspection_audience_claim": { "description": "Specify the claim in a channel token introspection to verify against values of `config.channel_token_introspection_audiences_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "aud" ] }, "channel_token_introspection_audiences_allowed": { "description": "The audiences allowed to be present in the channel token introspection claim specified by `config.channel_token_introspection_audience_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_introspection_authorization": { "description": "If the channel token introspection endpoint requires client authentication (client being the JWT Signer plugin), you can specify the `Authorization` header's value with this configuration parameter.", "type": "string" }, "channel_token_introspection_body_args": { "description": "If you need to pass additional body arguments to introspection endpoint when the plugin introspects the opaque channel token, you can use this config parameter to specify them. You should URL encode the value. 
For example: `resource=` or `a=1&b=&c`.", "type": "string" }, "channel_token_introspection_consumer_by": { "description": "When the plugin tries to map channel token introspection results to a Kong consumer, it tries to find a matching Kong consumer from properties defined using this configuration parameter. The parameter can take an array of values. Valid values are `id`, `username`, and `custom_id`.", "type": "array", "items": { "enum": [ "custom_id", "id", "username" ], "type": "string" }, "default": [ "custom_id", "username" ] }, "channel_token_introspection_consumer_claim": { "description": "When you set a value for this parameter, the plugin tries to map an arbitrary claim specified with this configuration parameter (such as `sub` or `username`) in channel token introspection results to the Kong consumer entity.", "type": "array", "items": { "type": "string" } }, "channel_token_introspection_endpoint": { "description": "When you use `opaque` channel tokens and you want to turn on channel token introspection, you need to specify the OAuth 2.0 introspection endpoint URI with this configuration parameter. Otherwise, the plugin does not try introspection and returns `401 Unauthorized` instead.", "type": "string" }, "channel_token_introspection_expiry_claim": { "description": "Specify the expiry claim in a channel token to verify if the default `exp` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "exp" ] }, "channel_token_introspection_hint": { "description": "If you need to give `hint` parameter when introspecting a channel token, you can use this parameter to specify the value of such parameter. 
By default, a `hint` isn't sent with channel token introspection.", "type": "string" }, "channel_token_introspection_issuer_claim": { "description": "Specify the claim in a channel token introspection to verify against values of `config.channel_token_introspection_issuers_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "iss" ] }, "channel_token_introspection_issuers_allowed": { "description": "The issuers allowed to be present in the channel token introspection claim specified by `config.channel_token_introspection_issuer_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_introspection_jwt_claim": { "description": "If your introspection endpoint returns a channel token in one of the keys (or claims) in the introspection results (`JSON`), the plugin can use that value instead of the introspection results when doing expiry verification and signing of the new token issued by Kong.", "type": "array", "items": { "type": "string" } }, "channel_token_introspection_leeway": { "description": "You can use this parameter to adjust clock skew between the token issuer introspection results and Kong. The value will be used to time-related claim verification. For example, it will be added to introspection results (`JSON`) `exp` claim/property before checking token expiry against Kong servers current time (in seconds). You can disable channel token introspection `expiry` verification altogether with `config.verify_channel_token_introspection_expiry`.", "type": "number", "default": 0 }, "channel_token_introspection_notbefore_claim": { "description": "Specify the notbefore claim in a channel token to verify if the default `nbf` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "nbf" ] }, "channel_token_introspection_optional_claims": { "description": "Specify the optional claims of the channel token introspection. These claims are only validated when they are present. Every claim is specified by an array. 
If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "channel_token_introspection_required_claims": { "description": "Specify the required claims that must be present in the channel token introspection. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "channel_token_introspection_scopes_claim": { "description": "Use this parameter to specify the claim/property in channel token introspection results (`JSON`) to be verified against values of `config.channel_token_introspection_scopes_required`. This supports nested claims.", "type": "array", "items": { "type": "string" }, "default": [ "scope" ] }, "channel_token_introspection_scopes_required": { "description": "Use this parameter to specify the required values (or scopes) that are checked by an introspection claim/property specified by `config.channel_token_introspection_scopes_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_introspection_subject_claim": { "description": "Specify the claim in a channel token to verify against values of `config.channel_token_introspection_subjects_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "sub" ] }, "channel_token_introspection_subjects_allowed": { "description": "The subjects allowed to be present in the channel token introspection claim specified by `config.channel_token_introspection_subject_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_introspection_timeout": { "description": "Timeout in milliseconds for an introspection request. The plugin tries to introspect twice if the first request fails for some reason. 
If both requests time out, then the plugin runs two times the `config.channel_token_introspection_timeout` on channel token introspection.", "type": "number" }, "channel_token_issuer": { "description": "The `iss` claim of the re-signed channel token is set to this value, which is `kong` by default. The original `iss` claim of the incoming token (possibly introspected) is stored in the `original_iss` claim of the newly signed channel token.", "type": "string", "default": "kong" }, "channel_token_issuer_claim": { "description": "Specify the claim in a channel token to verify against values of `config.channel_token_issuers_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "iss" ] }, "channel_token_issuers_allowed": { "description": "The issuers allowed to be present in the channel token claim specified by `config.channel_token_issuer_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_jwks_uri": { "description": "If you want to use `config.verify_channel_token_signature`, you must specify the URI where the plugin can fetch the public keys (JWKS) to verify the signature of the channel token. If you don't specify a URI and you pass a JWT token to the plugin, then the plugin responds with `401 Unauthorized`.", "type": "string" }, "channel_token_jwks_uri_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `channel_token_jwks_uri` is an https uri that requires mTLS Auth.", "type": "object", "properties": { "id": { "type": "string" } }, "x-foreign": true }, "channel_token_jwks_uri_client_password": { "description": "The client password that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. 
Should be configured together with `channel_token_jwks_uri_client_username`", "type": "string", "x-encrypted": true, "x-referenceable": true }, "channel_token_jwks_uri_client_username": { "description": "The client username that will be used to authenticate Kong if `channel_token_jwks_uri` is a uri that requires Basic Auth. Should be configured together with `channel_token_jwks_uri_client_password`", "type": "string", "x-referenceable": true }, "channel_token_jwks_uri_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_jwks_uri`. The default value 0 means no auto-rotation.", "type": "number", "default": 0 }, "channel_token_keyset": { "description": "The name of the keyset containing signing keys.", "type": "string", "default": "kong" }, "channel_token_keyset_client_certificate": { "description": "The client certificate that will be used to authenticate Kong if `channel_token_keyset` is an https uri that requires mTLS Auth.", "type": "object", "properties": { "id": { "type": "string" } }, "x-foreign": true }, "channel_token_keyset_client_password": { "description": "The client password that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_username`", "type": "string", "x-encrypted": true, "x-referenceable": true }, "channel_token_keyset_client_username": { "description": "The client username that will be used to authenticate Kong if `channel_token_keyset` is a uri that requires Basic Auth. Should be configured together with `channel_token_keyset_client_password`", "type": "string", "x-referenceable": true }, "channel_token_keyset_rotate_period": { "description": "Specify the period (in seconds) to auto-rotate the jwks for `channel_token_keyset`. 
The default value 0 means no auto-rotation.", "type": "number", "default": 0 }, "channel_token_leeway": { "description": "Adjusts clock skew between the token issuer and Kong. The value will be used to time-related claim verification. For example, it will be added to token's `exp` claim before checking token expiry against Kong servers current time in seconds. You can disable channel token `expiry` verification altogether with `config.verify_channel_token_expiry`.", "type": "number", "default": 0 }, "channel_token_notbefore_claim": { "description": "Specify the notbefore claim in a channel token to verify if the default `nbf` is not used.", "type": "array", "items": { "type": "string" }, "default": [ "nbf" ] }, "channel_token_optional": { "description": "If a channel token is not provided or no `config.channel_token_request_header` is specified, the plugin cannot verify the channel token. In that case, the plugin normally responds with `401 Unauthorized` (client didn't send a token) or `500 Unexpected` (a configuration error). Enable this parameter to allow the request to proceed even when there is no channel token to check. If the channel token is provided, then this parameter has no effect", "type": "boolean", "default": false }, "channel_token_optional_claims": { "description": "Specify the optional claims of the channel token. These claims are only validated when they are present. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "channel_token_request_header": { "description": "This parameter tells the name of the header where to look for the channel token. 
If you don't want to do anything with the channel token, then you can set this to `null` or `\"\"` (empty string).", "type": "string" }, "channel_token_required_claims": { "description": "Specify the required claims that must be present in the channel token. Every claim is specified by an array. If the array has multiple elements, it means the claim is inside a nested object of the payload.", "type": "array", "items": { "items": { "type": "string" }, "type": "array" } }, "channel_token_scopes_claim": { "description": "Specify the claim in a channel token to verify against values of `config.channel_token_scopes_required`. This supports nested claims.", "type": "array", "items": { "type": "string" }, "default": [ "scope" ] }, "channel_token_scopes_required": { "description": "Specify the required values (or scopes) that are checked by a claim specified by `config.channel_token_scopes_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_signing": { "description": "Quickly turn channel token signing or re-signing off and on as needed. If turned off, the plugin will not send the signed or resigned token to the upstream.", "type": "boolean", "default": true }, "channel_token_signing_algorithm": { "description": "When this plugin sets the upstream header as specified with `config.channel_token_upstream_header`, it also re-signs the original channel token using private keys of this plugin. 
Specify the algorithm that is used to sign the token.", "type": "string", "default": "RS256", "enum": [ "ES256", "ES384", "ES512", "EdDSA", "HS256", "HS384", "HS512", "PS256", "PS384", "PS512", "RS256", "RS512" ] }, "channel_token_subject_claim": { "description": "Specify the claim in a channel token to verify against values of `config.channel_token_subjects_allowed`.", "type": "array", "items": { "type": "string" }, "default": [ "sub" ] }, "channel_token_subjects_allowed": { "description": "The subjects allowed to be present in the channel token claim specified by `config.channel_token_subject_claim`.", "type": "array", "items": { "type": "string" } }, "channel_token_upstream_header": { "description": "The name of the upstream request header in which the plugin sends the signed or re-signed channel token. This plugin removes the `config.channel_token_request_header` from the request after reading its value.", "type": "string" }, "channel_token_upstream_leeway": { "description": "If you want to extend or shorten (using a negative value) the expiry time of the channel token that is re-signed for the upstream, you can specify a value that is added to the original channel token's `exp` claim. A positive value lets the re-signed token outlive the original, so keep it small.", "type": "number", "default": 0 }, "enable_access_token_introspection": { "description": "If you don't want to support opaque access tokens, change this configuration parameter to `false` to disable introspection.", "type": "boolean", "default": true }, "enable_channel_token_introspection": { "description": "If you don't want to support opaque channel tokens, disable introspection by changing this configuration parameter to `false`.", "type": "boolean", "default": true }, "enable_hs_signatures": { "description": "Tokens signed with HMAC algorithms such as `HS256`, `HS384`, or `HS512` are not accepted by default. 
If you need to accept such tokens for verification, enable this setting. Enable it only when the issuer actually signs with HMAC: an HMAC key is a shared secret, so any party that can verify such a token can also forge one.", "type": "boolean", "default": false }, "enable_instrumentation": { "description": "Writes log entries with some added information using `ngx.CRIT` (CRITICAL) level.", "type": "boolean", "default": false }, "original_access_token_upstream_header": { "description": "The name of the upstream HTTP header in which the original access token is stored.", "type": "string" }, "original_channel_token_upstream_header": { "description": "The name of the upstream HTTP header in which the original channel token is stored.", "type": "string" }, "realm": { "description": "When authentication or authorization fails, or there is an unexpected error, the plugin sends a `WWW-Authenticate` header with the `realm` attribute value.", "type": "string" }, "remove_access_token_claims": { "description": "Claims to remove from the access token. It should be an array, and each element is a claim key string.", "type": "array", "items": { "type": "string" }, "default": [] }, "remove_channel_token_claims": { "description": "Claims to remove from the channel token. It should be an array, and each element is a claim key string.", "type": "array", "items": { "type": "string" }, "default": [] }, "set_access_token_claims": { "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "object", "default": {}, "additionalProperties": { "type": "string" } }, "set_channel_token_claims": { "description": "Set customized claims. If a claim is already present, it will be overwritten. Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "object", "default": {}, "additionalProperties": { "type": "string" } }, "set_claims": { "description": "Set customized claims to both tokens. If a claim is already present, it will be overwritten. 
Value can be a regular or JSON string; if JSON, decoded data is used as the claim's value.", "type": "object", "default": {}, "additionalProperties": { "type": "string" } }, "trust_access_token_introspection": { "description": "Use this parameter to enable or disable further checks on an introspected payload before the new token is signed. With `true` (the default), the plugin does not re-check the expiry or scopes of the introspection result itself; it relies on the introspection endpoint having verified them. Set this to `false` if you want the plugin to apply those checks to the payload before signing.", "type": "boolean", "default": true }, "trust_channel_token_introspection": { "description": "Providing an opaque channel token for plugin introspection, and verifying expiry and scopes on introspection results may make further payload checks unnecessary before the plugin signs a new token. This also applies when using a JWT token with introspection JSON as per config.channel_token_introspection_jwt_claim. Use this parameter to manage additional payload checks before signing a new token. With true (default), payload's expiry or scopes aren't checked.", "type": "boolean", "default": true }, "verify_access_token_audience": { "description": "Quickly turn off and on the access token allowed audiences verification, specified with `config.access_token_audiences_allowed`.", "type": "boolean", "default": true }, "verify_access_token_expiry": { "description": "Quickly turn access token expiry verification off and on as needed.", "type": "boolean", "default": true }, "verify_access_token_introspection_audience": { "description": "Quickly turn off and on the access token introspection required audiences verification, specified with `config.access_token_introspection_audiences_required`.", "type": "boolean", "default": true }, "verify_access_token_introspection_expiry": { "description": "Quickly turn access token introspection expiry verification off and on as needed.", "type": "boolean", "default": true }, "verify_access_token_introspection_issuer": { "description": "Quickly turn off and on the access token introspection allowed issuers verification, specified with 
`config.access_token_introspection_issuers_allowed`.", "type": "boolean", "default": true }, "verify_access_token_introspection_notbefore": { "description": "Quickly turn off and on the access token introspection notbefore verification.", "type": "boolean", "default": false }, "verify_access_token_introspection_scopes": { "description": "Quickly turn off and on the access token introspection scopes verification, specified with `config.access_token_introspection_scopes_required`.", "type": "boolean", "default": true }, "verify_access_token_introspection_subject": { "description": "Quickly turn off and on the access token introspection required subjects verification, specified with `config.access_token_introspection_subjects_required`.", "type": "boolean", "default": true }, "verify_access_token_issuer": { "description": "Quickly turn off and on the access token allowed issuers verification, specified with `config.access_token_issuers_allowed`.", "type": "boolean", "default": true }, "verify_access_token_notbefore": { "description": "Quickly turn off and on the access token notbefore verification.", "type": "boolean", "default": false }, "verify_access_token_scopes": { "description": "Quickly turn off and on the access token required scopes verification, specified with `config.access_token_scopes_required`.", "type": "boolean", "default": true }, "verify_access_token_signature": { "description": "Quickly turn access token signature verification off and on as needed.", "type": "boolean", "default": true }, "verify_access_token_subject": { "description": "Quickly turn off and on the access token required subjects verification, specified with `config.access_token_subjects_required`.", "type": "boolean", "default": true }, "verify_channel_token_audience": { "description": "Quickly turn off and on the channel token required audiences verification, specified with `config.channel_token_audiences_required`.", "type": "boolean", "default": true }, 
"verify_channel_token_expiry": { "type": "boolean", "default": true }, "verify_channel_token_introspection_audience": { "description": "Quickly turn off and on the channel token introspection required audiences verification, specified with `config.channel_token_introspection_audiences_required`.", "type": "boolean", "default": true }, "verify_channel_token_introspection_expiry": { "description": "Quickly turn on/off the channel token introspection expiry verification.", "type": "boolean", "default": true }, "verify_channel_token_introspection_issuer": { "description": "Quickly turn off and on the channel token introspection allowed issuers verification, specified with `config.channel_token_introspection_issuers_allowed`.", "type": "boolean", "default": true }, "verify_channel_token_introspection_notbefore": { "description": "Quickly turn off and on the channel token introspection notbefore verification.", "type": "boolean", "default": false }, "verify_channel_token_introspection_scopes": { "description": "Quickly turn on/off the channel token introspection scopes verification specified with `config.channel_token_introspection_scopes_required`.", "type": "boolean", "default": true }, "verify_channel_token_introspection_subject": { "description": "Quickly turn off and on the channel token introspection required subjects verification, specified with `config.channel_token_introspection_subjects_required`.", "type": "boolean", "default": true }, "verify_channel_token_issuer": { "description": "Quickly turn off and on the channel token allowed issuers verification, specified with `config.channel_token_issuers_allowed`.", "type": "boolean", "default": true }, "verify_channel_token_notbefore": { "description": "Quickly turn off and on the channel token notbefore verification.", "type": "boolean", "default": false }, "verify_channel_token_scopes": { "description": "Quickly turn on/off the channel token required scopes verification specified with 
`config.channel_token_scopes_required`.", "type": "boolean", "default": true }, "verify_channel_token_signature": { "description": "Quickly turn on/off the channel token signature verification. When disabled, the channel token's claims are used without any proof that a trusted issuer produced them.", "type": "boolean", "default": true }, "verify_channel_token_subject": { "description": "Quickly turn off and on the channel token allowed subjects verification, specified with `config.channel_token_subjects_allowed`.", "type": "boolean", "default": true } } }, "name": { "const": "jwt-signer" }, "protocols": { "description": "A set of strings representing HTTP protocols.", "type": "array", "items": { "enum": [ "grpc", "grpcs", "http", "https" ], "type": "string" }, "format": "set", "default": [ "grpc", "grpcs", "http", "https" ] }, "route": { "description": "If set, the plugin will only activate when receiving requests via the specified route. Leave unset for the plugin to activate regardless of the route being used.", "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" } } }, "service": { "description": "If set, the plugin will only activate when receiving requests via one of the routes belonging to the specified Service. Leave unset for the plugin to activate regardless of the Service being matched.", "type": "object", "additionalProperties": false, "properties": { "id": { "type": "string" } } } } }